UK Porn Age Verification Opens Big Privacy Probs

Slack AliceSlogger, Infosecurity Magazine

Imagine, if you will, a world where adult websites can know pretty much everything about you. If you want to surf porn, you give up any expectation of privacy—up to and including having to deal with embarrassing ads popping up on your screen when you’re busy being more wholesome elsewhere.

This scenario isn’t too far off from occurring, absent an amendment to a proposed policy change. The UK wants to add age verification for porn sites. But, privacy is apparently not top-of-mind when it comes to implementation.

The idea is to keep inappropriate content out of the hands of children—an admirable goal (if futile, in the case of enterprising teens). To do this, the government is placing the onus on the websites themselves, with a provision in the Digital Economy Bill.

That provision creates a regulator that is tasked with ensuring that adult content websites will either verify the age of users or face monetary penalties. In the case of overseas sites, it asks payment providers such as VISA to refuse to process UK payments for non-compliant providers.

It’s very different than age verification in the United States, where sites merely require the user to click a box that says he or she is of age—no actual verification required.

More power to the UK for putting some teeth into the process, but David Austen, from the BBFC, who will likely become the age-verification regulator, recently explained the plan and the privacy pitfall in play for the porn. And all alliteration aside, the situation could be concerning:

“Privacy is one of the most important things to get right in relation to this regime. As a regulator, we are not interested in identity at all. The only thing that we are interested in is age, and the only thing that a porn website should be interested in is age. The simple question that should be returned to the pornographic website or app is, ‘is this person 18 or over?’ The answer should be either yes or no. No other personal details are necessary.”

But wait, there’s more:

“However, the age verification regulator has no duties in relation to the age verification systems. They will make sites verify age, or issue penalties, but they are given no duty to protect people’s privacy, security or defend against cybersecurity risks that may emerge from the Age Verification systems themselves.”

Ah—there’s the rub. So to speak.

In other words, it’s up to the individual site to determine what form age verification takes. It shouldn’t shock anyone that there are plenty of self-serving ways to make it happen, and most of them have privacy problems.

As the UK-based Open Rights Group notes, sites could conduct vast data trawls through Facebook and social media to match users with available social data on age. Now that may seem a little stalker-y, but other methods are even more concerning:

“Others plan to link people’s identity across web services and will provide ways to profile people’s porn viewing habits,” Open Rights Group said. “Still others attempt to piggyback upon payment providers and risk confusing their defenses against fraud. Many appear to encourage people to submit sensitive information to services that the users, and the regulator, will have little or no understanding of.”

Data protection rules in the UK allow people to share whatever they agree to share, by providing consent in regards to access to content, apps, websites, services and so on—and study after study shows that most people are willing to trade away quite lot in the name of access and convenience.

“What makes this proposal more dangerous is that the incentives for the industry are poor and lead in the wrong direction,” Open Rights Group noted. “They have no desire for large costs, but would benefit vastly from acquiring user data.”

So, effectively, this opens the door for sites to build databases full of sensitive information, potentially linked to private sexual preferences. It’s not hard to imagine sites building ancillary revenue streams from advertising, targeted upsells and the like. It’s also not hard to imagine hackers and extortionists looking at this trove of information as an incredibly attractive target.

Regardless of how one feels about adult content on the web, the situation offers up thorny discussion points when it comes to consent, information-sharing and the power we give online services. What’s your take?